Proposal/Idea: Remove support for using rfc2307 attributes for s4 id-mapping?

Gémes Géza geza at
Mon Oct 15 12:59:32 MDT 2012

On 2012-10-15 20:20, Matthieu Patou wrote:
> On 10/15/2012 08:48 AM, simo wrote:
>> On Mon, 2012-10-15 at 17:10 +0200, steve wrote:
>>> On 15/10/12 16:51, Michael Adam wrote:
>>>> - Addressing one frequent request:
>>>>     There is no good reason I know for requiring a user/group to
>>>>     have the same unix-ID on all DCs for a given domain.
>>> It is of vital importance for those of us who have Linux clients in the
>>> domain and serve them using NFS, that uidNumber and gidNumber remain the
>>> same no matter which DC is queried. When a user or group is created, we
>>> add the necessary rfc2307 classes and attributes to AD. We bypass
>>> idmap.ldb altogether. idmap_use:rfc2307 = Yes allows us to do this.
>>> Please do not remove this excellent facility.
>>> -1 to the proposal.
>>> Cheers,
>>> Steve
>> Steve, I up the ante: I would like to remove idmap.ldb entirely, and use
>> rfc2307 attributes as the only idmap facility (for our own
>> domain/forest).
> What about workstations? Will you also give a posix uid to them?
> Without it GPO and any file access from the workstation won't work in
> a pure RFC2307 world.
> What about the groups used as owner? You just have to see how Andrew is
> struggling with it to understand that RFC2307 is not a good answer for this.
> Is there a lot of persons serving NFS from a DC ?
> Note that we could easily improve our idmap.ldb code so that when 
> allocating a UID/GID we first check in the user/group for the 
> existence of posixUID/posixGID and write down this value in our 
> idmap.ldb.
> So it looks like rfc2307 but it's not, and it allows us not to have a
> special module, because the idea is that we want to avoid having too
> many backends for the future winbindd.
> Matthieu

What about the following approach: read the rfc2307 attribute from the
directory, disregard the fact that it is a uidNumber or gidNumber, and
treat it as both (of course one must be sure that they don't overlap;
I've made them equal to the RID, which guarantees uniqueness).


Geza Gemes
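The two id-mapping ideas in this thread, modelled as an added example that is not Samba code: Matthieu's "honour a posix attribute before allocating" rule, and a check for the uid/gid overlap Geza's scheme avoids by setting both equal to the RID. The entries, SIDs, and allocation range below are constructed sample data.

```python
# Added example (not Samba's idmap code). Models a DC-side id mapping that
# prefers rfc2307 uidNumber/gidNumber from the directory entry and falls back
# to an allocated id, plus a check that uids and gids do not overlap.
from dataclasses import dataclass, field

def rid_of(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])

def consistent_with_rid(entry: dict) -> bool:
    """Geza's scheme: the posix id equals the RID, so it is unique per SID."""
    val = entry.get("uidNumber") or entry.get("gidNumber")
    return val is not None and int(val) == rid_of(entry["objectSid"])

@dataclass
class IdMap:
    next_id: int = 3000000                      # constructed allocation range start
    users: dict = field(default_factory=dict)   # sid -> unix uid
    groups: dict = field(default_factory=dict)  # sid -> unix gid

    def map_entry(self, entry: dict) -> int:
        """Map one user or group; an rfc2307 attribute wins over allocation."""
        is_group = "group" in entry["objectClass"]
        attr = "gidNumber" if is_group else "uidNumber"
        table = self.groups if is_group else self.users
        sid = entry["objectSid"]
        if sid in table:                  # already recorded, like idmap.ldb
            return table[sid]
        if attr in entry:                 # posix attribute present: use it as-is
            unix_id = int(entry[attr])
        else:                             # otherwise allocate the next free id
            unix_id = self.next_id
            self.next_id += 1
        table[sid] = unix_id
        return unix_id

    def overlaps(self) -> set:
        """Unix ids used both as a uid and as a gid (the overlap Geza warns about)."""
        return set(self.users.values()) & set(self.groups.values())

SAMPLE = [  # constructed directory entries; 1107's gidNumber collides with a uid
    {"objectClass": ["user"], "objectSid": "S-1-5-21-1-2-3-1105", "uidNumber": "1105"},
    {"objectClass": ["group"], "objectSid": "S-1-5-21-1-2-3-1106", "gidNumber": "1106"},
    {"objectClass": ["group"], "objectSid": "S-1-5-21-1-2-3-1107", "gidNumber": "1105"},
    {"objectClass": ["user"], "objectSid": "S-1-5-21-1-2-3-1108"},
]

def build(entries=SAMPLE) -> IdMap:
    m = IdMap()
    for e in entries:
        m.map_entry(e)
    return m
```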
